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IN THE CLAIMS 

1 1. [currently amended, previously amended] A method for securely 

2 communicating packets between a first computer device and a second computer device 

3 through a packet-switched data transmission network comprising intermediate computer 

4 devices, where at least one of said intermediate computer devices may perform 

5 p e rform s a network address translation or and/or a protocol conversion resulting in 

6 alteration of a packet propagating therethrough , the method comprising the steps of 

7 - determining what network address translations or and/or protocol conversions, 

8 if any, occur on packets transmitted in a data path between said the- first 

9 computer device and the- said second computer device on packets transmitted 

1 0 between said first computer device and said second computer device , 

11 - if it is found that network address translations or and/or protocol conversions 

1 2 occur in said a data path between said first computer device and said a second 

1 3 computer device, taking packets conforming to a first protocol and using said first 

14 computer device to encapsulate e ncap s u l at i ng them into packets conforming to a 

1 5 second protocol, wfrteh- said second protocol being is capable of traversing 

1 6 network address translations arid and/or protocol conversions, 

1 7 - transmitting said packets conforming to said second protocol from saidjirst 

1 8 computer device to said.second computer device; and 

1 9 - decapsulating said transmitted packets conforming to said second protocol into 

20 packets conforming to said first protocol. 



1 2. [original] A method according to claim 1 , wherein the step of taking packets 

2 conforming to a first protocol and encapsulating them into packets conforming to a 
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3 second protocol comprises the substeps of 

4 - taking packets conforming to the Internet Protocol, 

5 - processing said packets according to the IPSEC protocol suite and 

6 - encapsulating the processed packets into packets conforming to the User 

7 Datagram Protocol. 

1 3. [original] A method according to claim 1 , wherein the step of taking packets 

2 conforming to a first protocol and encapsulating them into packets conforming to a 

3 second protocol comprises the substeps of 

4 - taking packets conforming to the Internet Protocol, 

5 - processing said packets according to the IPSEC protocol suite and 

6 - encapsulating the processed packets into packets conforming to the 

7 Transmission Control Protocol. 

1 4. [previously amended] A method according to claim 1 , further comprising the 

2 step of compensating for the network address translations on said second protocol in 

3 the packets that are transmitted from said first computer device to said second 

4 computer device. 

1 5. [previously amended] A method according to claim 4, wherein said step of 

2 compensating for said network address translations comprises a step of performing 

3 address translation based on the information obtained in the step of determining what 

4 network address translations, if any, occur on packets transmitted between said, first 

5 computer device and said second computer device. 
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1 6. [previously amended] A method according to claim 5, wherein said step of 

2 compensating for said network address translations further comprises a step of 

3 performing port number translation based on the information obtained in the step of 

4 determining what network address translations, if any, occur on packets transmitted 

5 between said first computer device and said second computer device. 

1 7. [previously amended] A method according to claim 1 , additionally comprising 

2 the step of periodically transmitting keepalive packets between said first computer device 

3 and said second computer device to ensure that said network address translations, if 

4 any, occurring on packets transmitted between said first computer device and said 

5 second computer device stay the same. 

1 8. [currently amended, previously amended] A method for conditionally setting up 

2 a secure communication connection between a first computer device and a second 

3 computer device through a packet-switched data transmission network including 

4 intermediate computer devices, where at least one of said computer devices performs a 

5 network address translation and/or or_a protocol conversion or both a protocol 

6 conversion and a network address translation , the method comprising the steps of 

7 - finding out, whether or not said second computer device supports a 

8 communication method where: 

9 it is determined what network address translations or and/or 

I 0 protocol conversions or both , if any, occur on packets transmitted 

I I between said first computer device and said second computer device; 
12 if it is found that network address translations or protocol 

1 3 conversions occur on packets transmitted between said first computer 
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1 4 device and said second computer device, packets are taken that conform 

15 to a first protocol and encapsulated into packets that conform to a second 

1 6 protocol, which second protocol is capable of traversing network address 

1 7 translations and/or protocol conversions; 

1 8 said packets conforming to said second protocol are transmitted 

1 9 from said first computer device to said second computer device; 

20 and said transmitted packets conforming to said second protocol 

2 1 are decapsulated into packets conforming to said first protocol, 

22 - as a response to a finding indicating that the second computer device supports 

2 3 said communication method, setting up a secure communication connection 

24 between said first computer device and said second computer device in which 

2 5 communication connection said communication method is employed and 

26 - as a response to a finding indicating that said second computer device does not 

2 7 support said communication method, disabling use of said communication method 

28 between said first and said second computer devices. 

1 9. [previously amended] A method for tunnelling packets between a first 

2 computer device and a second computer device through a packet-switched data 

3 transmission network comprising intermediate computer devices, where at least one of 

4 said computer devices performs a network address translation and/or a protocol 

5 conversion, the method comprising the steps of 

6 - establishing a bidirectional tunnelling mode between said first computer device 

7 and said second computer device by exchanging packets conforming to a secure 

8 communication protocol, 

9 - determining if one or more network address translations and/or protocol 
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1 0 conversions occur on packets travelling from said first computer to said second 

1 1 computer, and if so, taking packets conforming to a first protocol and 

1 2 encapsulating them at said first computer device into packets conforming to a 

1 3 second protocol, which second protocol is capable of traversing network 

1 4 address translations, 

1 5 - transmitting said packets conforming to said second protocol from said first 

1 6 computer device to said second computer device, 

1 7 - decapsulating said transmitted packets conforming to said second protocol into 

1 8 packets conforming to said first protocol at the second computer device, 

1 9 - obtaining information about the address translations occurred on packets 

20 transmitted between said first computer device and said second computer device 

21 and 

2 2 - using said obtained information to modify the established bidirectional tunnelling 
2 3 mode between said first computer device and said second computer device. 

1 10. [previously amended] A method according to claim 9, wherein the step of 

2 obtaining information about the address translations occurred on packets transmitted 

3 between said first computer device and said second computer device comprises the 

4 substeps of 

5 - transmitting a packet between said first computer device and said second 

6 computer device, said packet comprising a header part and a payload part, and 

7 - comparing a network address transmitted in said payload part to a network 

8 address transmitted in said header part in order to find out what changes have 

9 occurred on said network address transmitted in said header part. 
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1 11. [previously amended] A method according to claim 9, additionally comprising 

2 the step of periodically transmitting keepalive packets between said first computer device 

3 and said second computer device to ensure that network address translations, if any, 

4 occurring on packets transmitted between said first computer device and said second 

5 computer device stay the same. 

1 12. [previously amended] A method according to claim 9, wherein the step of 

2 using said obtained information to modify the operation of the tunnelling of packets 

3 comprises the substep of introducing an address translation before the encapsulation of 

4 packets in order to compensate for the network address translations that occur on 

5 packets transmitted between said first computer device and said second computer 

6 device. 

1 13. [previously amended] A method according to claim 9, wherein the step of 

2 using said obtained information to modify the operation of the tunnelling of packets 

3 comprises the substep of introducing an address translation after the decapsulation of 

4 packets in order to compensate for the network address translations that occur on 

5 packets transmitted between said first computer device and said second computer 

6 device. 

1 14. [previously amended] A method for tunnelling packets between a first 

2 computer device and a second computer device through a packet-switched data 

3 transmission network including intermediate computer devices, in which data 

4 transmission network there exists a security protocol comprising a key management 

5 connection that employs a specific packet format for key management packets, the 
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6 method comprising the steps of 

7 - encapsulating data packets that are not key management packets into said 

8 specific packet format for key management packets, 

9 - transmitting said data packets encapsulated into the specific packet format from 

1 0 said first computer device to said second computer device, 

1 1 - discriminating at said second computer device the data packets encapsulated 
1 2 into the specific packet format from actual key management packets and 

1 3 - decapsulating the data packets encapsulated into the specific packet format. 

1 1 5. [original] A method according to claim 1 4, wherein the step of encapsulating 

2 data packets that are not key management packets comprises the substeps of 

3 - encapsulating data packets that are not key management packets into a key 

4 management packet format specified by the Internet Key Exchange protocol 

5 which defines a certain Initiator Cookie field and 

6 - inserting into the Initiator Cookie field of an encapsulated data packet a value 

7 indicating that the encapsulated packet is a data packet and not a key 

8 management packet. 

1 16. [previously amended] A method for securely communicating packets 

2 between a first computer device and a second computer device through a 

3 packet-switched data transmission network including intermediate computer devices, 

4 where at least one of said computer devices performs a network address translation 

5 and/or a protocol conversion and where a security protocol exists comprising a key 

6 management connection, the method comprising the steps of 

7 - a method for determining what network address translations, if any, occur on 
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8 packets transmitted between said first computer device and said second 

9 computer device: 

1 0 establishing a key management connection according to said 

1 1 security protocol between said first computer device and said second 
1 2 computer device; 

1 3 composing an indicator packet with a header part and a payload 

1 4 part of which both comprise the network addresses of said first computer 
1 5 device and said second computer device as seen by the node composing 
1 6 said packet; 

1 7 transmitting and receiving said indicator packet within said key 

1 8 management connection; and 

1 9 comparing in the received indicator packet the addresses 

20 contained in said header part and said payload part, and 

2 1 - using the information concerning the determined occurrences of network 

2 2 address translations for securely communicating packets between toe- said first 
2 3 computer device and said second computer device. 

1 17. [original] A method according to claim 16, wherein the security protocol 

2 determines a standard port number for a key management connection, and the method 

3 further comprises the step of comparing in the received indicator packet a source port 

4 number against said standard port number for a key management connection. 

1 18. [previously amended] A method for securely communicating packets 

2 between a first computer device and a second computer device through a 

3 packet-switched data transmission network including intermediate computer devices, 
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4 where; 

5 at least one of said computer devices performs a network address 

6 translation and/or a protocol conversion; 

7 and wherein a security protocol is acknowledged which determines 

8 transport-mode processing of packets for transmission and reception; 

9 and wherein a high-level protocol checksum has been determined for 

1 0 checking the integrity of received packets, 

1 1 the method comprising the steps of: 

12 - at said first computer device, performing transport-mode processing for packets 

13 to be transmitted to said second computer device, 

14 - at said second computer device, performing transport-mode processing for 

1 5 packets received from the first computer device, said transport-mode processing 

1 6 comprising the decapsulation of received packets and 

17 - at said second computer device, updating said high-level protocol checksum for 

1 8 decapsulated packets for compensating for changes, if any, caused by network 

1 9 address translations. 

1 19. [previously amended] A method according to claim 18, wherein 

2 - the step of performing transport-mode processing at said first computer device 

3 for packets transmitted to said second computer device takes the form of 

4 performing transport-mode processing as determined in the IPSEC protocol suite, 

5 and 

6 - the step of performing transport-mode processing at said second computer 

7 device for packets received from said first computer device takes the form of 

8 performing transport-mode processing as determined in the IPSEC protocol suite. 
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1 20. [previously amended] A method according to claim 18, additionally comprising 

2 the steps of 

3 - at said first computer device, after performing transport-mode processing for a 

4 packet to be transmitted to the second computer device, if network address 

5 translations and/or protocol conversions will occur on said packet in transmission 

6 to said second computer, encapsulating the processed packet into a packet 

7 conforming to a certain second protocol, which second protocol is capable of 

8 traversing network address translations and/or protocol conversions, and 

9 -at said second computer device, before performing transport-mode processing 

10 for a packet received from said first computer device, decapsulating the received 

1 1 packet from the packet conforming to said second protocol and replacing a 

1 2 number of network addresses in the decapsulated packet with a corresponding 

1 3 number of network addresses taken from the received packet before 

1 4 decapsulation. 

1 21 . [original] A method according to claim 1 8, wherein the step of updating the 

2 high-level protocol checksum takes the form of recomputing the checksum for the 

3 transport-mode-processed packets. 

1 22. [previously amended] A method according to claim 18, wherein the method 

2 additionally comprises the step of obtaining information about the network addresses of 

3 first and second computer devices before and after network address translations, and 

4 the step of updating the high-level protocol checksum takes the form of incrementally 

5 updating the checksum based on the obtained information about the network addresses 
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6 of the first and second computer devices before and after network address translations. 

1 23. [previously amended] A method for maintaining the unchanged form of 

2 address translations performed by network address translation devices on encapsulated 

3 actual data packets transmitted with certain address information between a first 

4 computer device and a second computer device through a packet-switched data 

5 transmission network, the method comprising the step of 

6 - forcing at least one of said first computer device and said second computer 

7 device to transmit to the other computer device keepalive packets with address 

8 information identical to that of actual data packets at a high enough frequency so 

9 that network address translation devices constantly reuse the mappings used for 

I 0 network address translation even when a certain fraction of the packets 

I I communicated between said first computer device and said second computer 
1 2 device are lost in the network. 

Please add the following new claims: 

1 24. [new] A method for securely communicating packets between a first 

2 computer device and a second computer device through a packet-switched data 

3 transmission network comprising intermediate computer devices, where at least one of 

4 said intermediate computer devices may perform a network address translation and/or a 

5 protocol conversion resulting in alteration of a packet propagating therethrough, the 

6 method comprising the steps of 

7 - determining what network address translations or protocol conversions, 

8 if any, occur on packets transmitted in a data path between said first computer 

9 device and said second computer device on packets transmitted between said 
1 0 first computer device and said second computer device, 
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11 - if it is found that network address translations and/or protocol 

1 2 conversions occur in said data path between said first computer device and said 

1 3 a second computer device, taking packets conforming to a first protocol and using 

1 4 said first computer device to encapsulate them into packets conforming to a 

1 5 second protocol, said second protocol being capable of traversing network 

1 6 address translations and protocol conversions, 

1 7 - transmitting said packets conforming to said second protocol from said 

1 8 first computer device to said second computer device. 

1 25. [new] The method of claim 24 further comprising the step of determining if 

2 said second computer device supports a secure data communication protocol prior to 

3 performing said step of determining what, if any, network address translations and/or 

4 protocol conversions are occurring in communications between said first computer 

5 device and said second computer device. 

1 26. [new] The method of claim 24 wherein the step of determining what, if any, 

2 network address translations or protocol conversions are occurring in communications 

3 between said first computer device and said second computer device is accomplished 

4 by: 

5 sending at least one IKE Phase 2 Quick Mode message packet from said 

6 first computer device to said second computer device including in its private 

7 payload section P addresses for an initator and responder as seen by said first 

8 computer device, where one of said first and second computer devices is said 

9 initiator and the other of said first and second computer devices is said 
1 0 responder; and 
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1 1 receiving at least one IKE Phase 2 Quick Mode message packet from said 

1 2 second computer device which was sent by said first computer device and 

1 3 including in its private payload section P addresses for said initator and said 

1 4 responder as seen by said second computer device; and 

1 5 in said first computer device, comparing said P addresses in said 

1 6 header(s) of said at least one IKE Phase 2 Quick Mode message packet(s) 

1 7 received from said second computer device to said P addresses in said private 

1 8 payload section, and, if there is a difference, concluding that a network address 

1 9 translation or a protocol conversion or both have occurred on the data path 

20 between said first computer device and said second computer device. 

1 27. [new] The process of claim 26 further comprising the step of periodically 

2 transmitting keepalive packets from said first computer device to said second computer 

3 device if it is determined that NAT or protocol conversions or both are occurring with the 

4 interval between said keepalive packets being set to insure that mappings of said NAT or 

5 protocol conversions or both stay the same. 

1 28. [new] The method of claim 24 wherein the step of determining what, if any, 

2 port translations are occurring in communications between said first computer device 

3 and said second computer device is accomplished by comparing the port number in a 

4 packet header for a packet of a protocol that can withstand port translations and which 

5 encapsulates an IKE protocol packet sent from said second computer device to said first 

6 computer device, and if said port number is not a port number associated with the IKE 

7 protocol, concluding that one or more port translations is occurring on a data path 

8 between said second computer device and said first computer device. 
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1 29. [new] A method for receiving data transmitted in tunneled, secure packets 

2 sent from a first computer device to a second computer device through a 

3 packet-switched data transmission network comprising intermediate computer devices, 

4 where at least one of said intermediate computer devices may perform a network 

5 address translation or a protocol conversion resulting in alteration of a packet 

6 propagating therethrough, and wherein said tunneled, secure packets comprise packets 

7 of a first secure protocol encapsulated in packets of a second protocol which can pass 

8 through network address translations or protocol conversions, the method comprising 

9 the steps of: 

1 0 - decapsulating packets received from said first computer device and 

1 1 conforming to said second protocol to recover packets conforming to said first 
1 2 protocol; and 

1 3 - using said first secure protocol to recover data transmitted in said first 

1 4 secure protocol packets. 

1 30. [new] A method for conditionally setting up a secure communication 

2 connection and communicating data between a first computer device and a second 

3 computer device through a packet-switched data transmission network including 

4 intermediate computer devices, where at least one of said computer devices performs a 

5 network address translation or a protocol conversion or both a protocol conversion and 

6 a network address translation, the method comprising the steps of: 

7 carrying out a negotiation between said first and second computer devices to 

8 determine if said second computer device supports a secure communication protocol 

9 which is incompatible with network address translations or protocol conversions or both; 
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10 as a response to a finding indicating that the second computer device supports 

1 1 said secure communication protocol, setting up a secure communication connection 
1 2 between said first computer device and said second computer device in which 

1 3 communication connection said secure communication protocol is employed; 

14 as a response to a finding indicating that said second computer device does not 

1 5 support said secure communication protocol, disabling use of said secure communication 

1 6 protocol between said first and said second computer devices; 

17 if it is found that said second computer device supports said secure 

1 8 communication protocol, determining what network address translations or protocol 

1 9 conversions or both, if any, occur on packets transmitted between said first computer 

20 device and said second computer device; 

21 if it is found that network address translations or protocol conversions occur on 

22 packets transmitted between said first computer device and said second computer 

2 3 device, taking packets that conform to said secure communication protocol and 

24 encapsulating them into packets that conform to a second protocol, which second 

25 protocol is capable of traversing network address translations or protocol conversions, 

26 or both without violating said second protocol; 

27 if it is found that network address translations or protocol conversions occur on 

28 packets transmitted between said first computer device and said second computer 

2 9 device, periodically transmitting keepalive packets from said first computer device to said 

30 second computer device with the interval between said keepalive packets being set to 

3 1 insure that mappings of said NAT or protocol conversions or both stay the same; 

3 2 transmitting said packets conforming to said second protocol from said first 
3 3 computer device to said second computer device. 



34 
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1 31 . [new] The method of claim 30 wherein said secure communication protocol 

2 is the IPsec protocol, and said second protocol is either the TCP or UDP protocol. 

1 32. [new] The method of claim 30 wherein said step of determining if said 

2 second computer device supports a secure communication protocol includes the step of 

3 finding out whether said second computer supports the IPsec protocol, and wherein said 

4 step of determining what network address translations or protocol conversions or both, 

5 if any, occur on packets transmitted between said first computer device and said second 

6 computer device comprises the steps: 

7 sending at least one IKE Phase 2 Quick Mode message packet from said 

8 first computer device to said second computer device including in its private 

9 payload section P addresses for an initator and responder as seen by said first 

1 0 computer device, where one of said first and second computer devices is said 

1 1 initiator and the other of said first and second computer devices is said 
1 2 responder; and 

1 3 receiving at least one IKE Phase 2 Quick Mode message packet from said 

1 4 second computer device which was sent by said first computer device and 

1 5 including in its private payload section P addresses for said initator and said 

1 6 responder as seen by said second computer device; and 

1 7 in said first computer device, comparing said P addresses in said 

1 8 header(s) of said at least one IKE Phase 2 Quick Mode message packet(s) 

1 9 received from said second computer device to said P addresses in said private 

20 payload section, and, if there is a difference, concluding that a network address 

2 1 translation or a protocol conversion or both have occurred on the data path 
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